Update: [Sun Jan 5 00:29:17 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-01-05 00:29:17 +00:00
parent d142c0ebaa
commit 399ee7d20c
23 changed files with 2976 additions and 2976 deletions
--- a/waf_patterns/nginx/attack.conf
+++ b/waf_patterns/nginx/attack.conf
@@ -2,26 +2,6 @@
 location / {
    set $attack_detected 0;

-    if ($request_uri ~* "!@eq 0") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "!@within |%{tx.allowed_request_content_type_charset}|") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@rx ^content-types*:s*(.*)$") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@rx content-transfer-encoding:(.*)") {
-        set $attack_detected 1;
-    }
-
    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }
@@ -126,6 +106,26 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "!@eq 0") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "!@within |%{tx.allowed_request_content_type_charset}|") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@rx ^content-types*:s*(.*)$") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@rx content-transfer-encoding:(.*)") {
+        set $attack_detected 1;
+    }
+
    if ($attack_detected = 1) {
        return 403;
    }